Cloud computing is widely accepted across all industries and platforms. But if your firm is bound by HIPAA compliance requirements, you may be wondering whether the host of available solutions complies with these privacy and security regulations. Whether you are looking to add cloud-based applications to your network, or you are a provider of cloud-based services that works with medical entities, it is important to understand the nuances of the rules in order to ensure HIPAA compliant cloud computing.

What is Cloud Computing?

Cloud resources are network services which offer online access to shared computing resources. This may include data storage, electronic medical record systems, or even photo storage and email programs. The main attribute of cloud computing which concerns HIPAA compliance is that it is any service which touches your organization but is not under your local control.

HIPAA Definitions

Individually identifiable health information (protected health information, or PHI) is covered by HIPAA compliance regulations which protect a patient's private health data and information. A covered entity is generally a health care provider (or medical plan) which, in the course of business, conducts electronic billing and payment related transactions. A business associate performs functions or activities on behalf of a covered entity, but is not a legal subsidiary of the covered entity. This may be an offsite data storage facility, or an accounting firm. Both the HIPAA covered entity and all of its business associates are required to maintain HIPAA compliance.

HIPAA Compliant Cloud Computing – Factors to Consider

  • May a HIPAA covered entity or business associate use a cloud service to store or process ePHI? Yes, as long as the covered entity and the business associate execute a HIPAA-compliant business associate contract or agreement (BAA). The BAA outlines the allowable uses and required disclosures of electronic protected health information (ePHI) by the business associate; it also contractually establishes that the business associate must appropriately protect the ePHI according to HIPAA standards.
  • A covered entity (medical organization) that hires a service provider to act as a business associate should make an effort to adequately understand the cloud computing solution it is engaging, so that an appropriate risk analysis can be performed on a regular basis.
  • The covered entity can address HIPAA compliance concerns within the terms of the agreement, such as:
    • System availability and reliability;
    • Back-up and data recovery procedures in the event of a cyber or malware attack;
    • Use, retention and disclosure limitations.
  • If a covered entity or business associate enters into a services agreement with a managed services provider for cloud-based solutions, it must ensure that the terms are consistent with the BAA and the HIPAA Rules.
  • A service provider which stores encrypted ePHI without a decryption key still falls under the rules and requirements of the BAA. Because the service provider receives and maintains electronic protected health information (ePHI), the lack of a decryption key does not exempt it from having to be covered by a BAA. It has been determined that while encryption significantly protects ePHI, encryption alone cannot adequately protect the confidentiality, integrity, and availability of ePHI as required.
  • HIPAA rules do not require a cloud computing services provider (assuming it is a business associate) to provide documentation of, or allow auditing of, its security practices by customers who are covered entities. However, customers may require a service provider to provide documented assurances of protections for the PHI, such as audit procedures, based on their individual risk analysis and risk management activities.

If you are considering outsourcing your data and are bound by HIPAA regulations, finding a HIPAA compliant cloud computing service provider is a necessity. At Alliance IT, we are proud to provide state-of-the-art protections to address the threats, challenges and regulations you face. Call us today to discuss how we might help you navigate your HIPAA compliance and network computing.